Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-13 Thread Filip Blaha

Hi Tim,

The change was already merged to master. With the next release of 
python-muranoclient it can be used in Congress.


Regards
Filip

On 07/08/2015 03:57 PM, Tim Hinrichs wrote:

There are two things to remember here.

1) When you configure the Congress datasource driver to talk to 
Murano, you choose which user rights Congress should use.  If you need 
to get all of the tenants' data, you want to choose an admin user for 
the Murano driver.  Personally I always use admin users so that I can 
write policy over everything.  Typically we think of Congress as an 
admin tool.


2) As you point out, if the Murano driver doesn't provide the 
all_tenants=true argument when it makes the API call into Murano, it 
won't get all the data for all the tenants; it'll only get the data 
for the user you provided in (1).  Ideally, whether to pass 
all_tenants=true would be a datasource configuration option, but it's 
not today.  The datasource drivers I've looked at all use all_tenants=true.


Tim




On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev wrote:


1) This does raise a security concern. We can however cover it
with a separate policy-based permission that would check if a
user can view all tenants. nova seems to do so, see:

https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13

2) Will give it some thought, but it does seem like an ok practice.

-- 
Kirill Zaitsev

Murano team
Software Engineer
Mirantis, Inc

On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.bl...@hp.com) wrote:


Hi all,

I started implementing bp [1]. The problem is that Congress needs data
about environments from all tenants, but the Murano API lists only
environments of the user's current tenant. We decided to implement it
similarly to listing servers in nova, where there is a query parameter
all_tenants=true for that (the user must be admin). I have 2 questions
about that:

1) Are there any security concerns about this approach?
2) Does anyone have a better idea how to implement this?

[1]
https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search


Regards
Filip



__

OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe


http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-13 Thread Filip Blaha

Hi Dolph

Thanks for the idea. Is this approach used somewhere for a similar use-case 
to the one I described? If so, please point it out. Thanks


Filip

On 07/10/2015 04:57 PM, Dolph Mathews wrote:
How about using domain-based role assignments in keystone and 
requiring domain-level authorization in policy, and then only 
returning data about the collection of tenants that belong to the 
authorized domain? That way you don't have an API that violates 
multi-tenant isolation, consumable only by cloud operators.


On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha wrote:


Hi all,

I started implementing bp [1]. The problem is that Congress needs data
about environments from all tenants, but the Murano API lists only
environments of the user's current tenant. We decided to implement it
similarly to listing servers in nova, where there is a query parameter
all_tenants=true for that (the user must be admin). I have 2 questions
about that:

1) Are there any security concerns about this approach?
2) Does anyone have a better idea how to implement this?

[1]
https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search

Regards
Filip











Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-10 Thread Tim Hinrichs
We sometimes want the ability to write policy across tenants, e.g. VMs from
Coke and Pepsi must always be deployed on different hosts.

I didn't think there were any roles that could see everything without
all_tenants=true.  If there are such roles, I'd be happy to remove the
all_tenants=true from the datasource drivers.

Tim


On Fri, Jul 10, 2015 at 8:00 AM Dolph Mathews wrote:

> How about using domain-based role assignments in keystone and requiring
> domain-level authorization in policy, and then only returning data about
> the collection of tenants that belong to the authorized domain? That way
> you don't have an API that violates multi-tenant isolation, consumable only
> by cloud operators.
>
> On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha wrote:
>
>> Hi all,
>>
>> I started implementing bp [1]. The problem is that Congress needs data about
>> environments from all tenants, but the Murano API lists only environments of
>> the user's current tenant. We decided to implement it similarly to listing
>> servers in nova, where there is a query parameter all_tenants=true for that
>> (the user must be admin). I have 2 questions about that:
>>
>> 1) Are there any security concerns about this approach?
>> 2) Does anyone have a better idea how to implement this?
>>
>> [1]
>> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>>
>> Regards
>> Filip
>>
>>
>>
>>
>


Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-10 Thread Dolph Mathews
How about using domain-based role assignments in keystone and requiring
domain-level authorization in policy, and then only returning data about
the collection of tenants that belong to the authorized domain? That way
you don't have an API that violates multi-tenant isolation, consumable only
by cloud operators.

On Wed, Jul 8, 2015 at 6:27 AM, Filip Blaha wrote:

> Hi all,
>
> I started implementing bp [1]. The problem is that Congress needs data about
> environments from all tenants, but the Murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to listing
> servers in nova, where there is a query parameter all_tenants=true for that
> (the user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does anyone have a better idea how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
>
>
>


Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-08 Thread Rui Chen
AFAIK nova and cinder support --all-tenants when we list servers and
volumes; it's an admin-only operation, as Kirill pointed out in the
comments above.

On the other hand, I think we should be careful using this option,
because huge results are pulled at one time when we want to get the
cross-tenant data. Think about it: we get all tenants' servers or volumes.

In Congress, the admin user needs a whole-cloud data view so that policy
can be used to find conflicts between different tenants, for example,
tenant A's ports being attached to tenant B's servers.

I think it should be OK to support all-tenants in Murano.



2015-07-08 21:57 GMT+08:00 Tim Hinrichs:

> There are two things to remember here.
>
> 1) When you configure the Congress datasource driver to talk to Murano,
> you choose which user rights Congress should use.  If you need to get all
> of the tenants' data, you want to choose an admin user for the Murano
> driver.  Personally I always use admin users so that I can write policy
> over everything.  Typically we think of Congress as an admin tool.
>
> 2) As you point out, if the Murano driver doesn't provide the all_tenants=true
> argument when it makes the API call into Murano, it won't get all the data
> for all the tenants; it'll only get the data for the user you provided in
> (1).  Ideally, whether to pass all_tenants=true would be a datasource
> configuration option, but it's not today.  The datasource drivers I've
> looked at all use all_tenants=true.
>
> Tim
>
>
>
>
> On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev wrote:
>
>> 1) This does raise a security concern. We can however cover it with a
>> separate policy-based permission that would check if a user can view all
>> tenants. nova seems to do so, see:
>> https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
>>
>> 2) Will give it some thought, but it does seem like an ok practice.
>>
>> --
>> Kirill Zaitsev
>> Murano team
>> Software Engineer
>> Mirantis, Inc
>>
>> On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.bl...@hp.com) wrote:
>>
>> Hi all,
>>
>> I started implementing bp [1]. The problem is that Congress needs data about
>> environments from all tenants, but the Murano API lists only environments of
>> the user's current tenant. We decided to implement it similarly to
>> listing servers in nova, where there is a query parameter all_tenants=true
>> for that (the user must be admin). I have 2 questions about that:
>>
>> 1) Are there any security concerns about this approach?
>> 2) Does anyone have a better idea how to implement this?
>>
>> [1]
>>
>> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>>
>> Regards
>> Filip
>>
>>
>>


Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-08 Thread Tim Hinrichs
There are two things to remember here.

1) When you configure the Congress datasource driver to talk to Murano, you
choose which user rights Congress should use.  If you need to get all of
the tenants' data, you want to choose an admin user for the Murano driver.
Personally I always use admin users so that I can write policy over
everything.  Typically we think of Congress as an admin tool.

2) As you point out, if the Murano driver doesn't provide the all_tenants=true
argument when it makes the API call into Murano, it won't get all the data
for all the tenants; it'll only get the data for the user you provided in
(1).  Ideally, whether to pass all_tenants=true would be a datasource
configuration option, but it's not today.  The datasource drivers I've
looked at all use all_tenants=true.

Tim




On Wed, Jul 8, 2015 at 5:16 AM Kirill Zaitsev wrote:

> 1) This does raise a security concern. We can however cover it with a
> separate policy-based permission that would check if a user can view all
> tenants. nova seems to do so, see:
> https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13
>
> 2) Will give it some thought, but it does seem like an ok practice.
>
> --
> Kirill Zaitsev
> Murano team
> Software Engineer
> Mirantis, Inc
>
> On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.bl...@hp.com) wrote:
>
> Hi all,
>
> I started implementing bp [1]. The problem is that Congress needs data about
> environments from all tenants, but the Murano API lists only environments of
> the user's current tenant. We decided to implement it similarly to
> listing servers in nova, where there is a query parameter all_tenants=true
> for that (the user must be admin). I have 2 questions about that:
>
> 1) Are there any security concerns about this approach?
> 2) Does anyone have a better idea how to implement this?
>
> [1]
> https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search
>
> Regards
> Filip
>
>
>


Re: [openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-08 Thread Kirill Zaitsev
1) This does raise a security concern. We can however cover it with a separate 
policy-based permission that would check if a user can view all tenants. nova 
seems to do so, see: 
https://github.com/openstack/nova/blob/4209d0140774adf3e162b7bde3cbd6b417065dd5/etc/nova/policy.json#L13

2) Will give it some thought, but it does seem like an ok practice.

-- 
Kirill Zaitsev
Murano team
Software Engineer
Mirantis, Inc

On 8 Jul 2015 at 14:44:51, Filip Blaha (filip.bl...@hp.com) wrote:

Hi all,  

I started implementing bp [1]. The problem is that Congress needs data about
environments from all tenants, but the Murano API lists only environments of
the user's current tenant. We decided to implement it similarly to
listing servers in nova, where there is a query parameter all_tenants=true
for that (the user must be admin). I have 2 questions about that:

1) Are there any security concerns about this approach?
2) Does anyone have a better idea how to implement this?

[1]  
https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search  

Regards  
Filip  




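The thread settles on three points: Kirill's suggestion that an all_tenants=true listing must be gated by a separate policy rule in the style of nova's policy.json, Tim's observation that an admin caller without the flag still only sees its own tenant, and Dolph's alternative of scoping the result to the tenants of an authorized domain. The Python below is an added example written for this page to show those behaviours side by side; it is not Murano, Congress or nova code. Environment, Caller, POLICY, enforce, list_environments and Forbidden are hypothetical names, the rule strings are constructed here rather than copied from any project, and the optional limit reflects Rui Chen's caution about pulling a whole cloud's data in one request.

```python
"""Policy-gated cross-tenant listing modelled on the nova all_tenants pattern.

Added example for this thread, not Murano/Congress/nova code. All names and
the policy rule strings are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Environment:
    name: str
    tenant_id: str
    domain_id: str  # domain that owns the tenant


@dataclass(frozen=True)
class Caller:
    user_id: str
    roles: FrozenSet[str]
    tenant_id: Optional[str] = None  # set for a project-scoped token
    domain_id: Optional[str] = None  # set for a domain-scoped token


class Forbidden(Exception):
    """Raised when a policy check fails (an API would map this to HTTP 403)."""


# Constructed policy table in the spirit of nova's policy.json: the plain
# index is open to any authenticated caller, the cross-tenant variants are
# gated behind roles. oslo.policy evaluates such rules in real services.
POLICY = {
    "environments:index": "",                           # any authenticated caller
    "environments:index:all_tenants": "role:admin",     # whole cloud, admin only
    "environments:index:domain": "role:domain_admin",   # one domain's tenants
}


def enforce(rule: str, caller: Caller) -> None:
    """Minimal evaluator for empty or 'role:<name>' rule expressions."""
    expr = POLICY[rule]
    if expr == "":
        return
    kind, _, value = expr.partition(":")
    if kind == "role" and value in caller.roles:
        return
    raise Forbidden(f"{caller.user_id} is not allowed by rule {rule!r}")


def list_environments(store: Iterable[Environment], caller: Caller,
                      all_tenants: bool = False,
                      limit: Optional[int] = None) -> List[Environment]:
    """Return the environments the caller may see.

    all_tenants=True is honoured only when the admin-only rule passes (fail
    closed, so a non-admin gets Forbidden rather than a silently narrowed
    result); a domain-scoped token sees its own domain; a project-scoped
    token sees only its own tenant. 'limit' bounds a cross-tenant pull.
    """
    enforce("environments:index", caller)
    if all_tenants:
        enforce("environments:index:all_tenants", caller)
        result = list(store)
    elif caller.domain_id is not None:
        enforce("environments:index:domain", caller)
        result = [e for e in store if e.domain_id == caller.domain_id]
    else:
        result = [e for e in store if e.tenant_id == caller.tenant_id]
    return result if limit is None else result[:limit]


# Constructed sample data: two domains, three tenants, three environments.
STORE = [
    Environment("web", "tenant-a", "domain-1"),
    Environment("db", "tenant-b", "domain-1"),
    Environment("batch", "tenant-c", "domain-2"),
]
CLOUD_ADMIN = Caller("congress-svc", frozenset({"admin"}), tenant_id="tenant-a")
DOMAIN_ADMIN = Caller("d1-ops", frozenset({"domain_admin"}), domain_id="domain-1")
PLAIN_USER = Caller("alice", frozenset({"member"}), tenant_id="tenant-b")


def names(envs: List[Environment]) -> List[str]:
    return [e.name for e in envs]


def congress_view() -> List[str]:
    """Admin user plus all_tenants=True: the whole-cloud view a datasource driver wants."""
    return names(list_environments(STORE, CLOUD_ADMIN, all_tenants=True))


def admin_without_flag() -> List[str]:
    """Same admin without the flag: only its own tenant, as Tim's point (2) says."""
    return names(list_environments(STORE, CLOUD_ADMIN))


def domain_view() -> List[str]:
    """Domain-scoped token: only the tenants of the authorized domain."""
    return names(list_environments(STORE, DOMAIN_ADMIN))


def plain_user_all_tenants_refused() -> bool:
    """A non-admin asking for all_tenants is rejected by the policy rule."""
    try:
        list_environments(STORE, PLAIN_USER, all_tenants=True)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(congress_view(), admin_without_flag(), domain_view(),
          plain_user_all_tenants_refused())
```

The rejection of a non-admin all_tenants request is deliberate rather than a silent fallback to the caller's own tenant: an explicit 403 is visible in API logs and cannot be mistaken for an empty cloud, which matters when the consumer is an automated policy engine.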

[openstack-dev] [murano] [congress] Congress needs to fetch environments from all tenants.

2015-07-08 Thread Filip Blaha

Hi all,

I started implementing bp [1]. The problem is that Congress needs data about 
environments from all tenants, but the Murano API lists only environments of 
the user's current tenant. We decided to implement it similarly to 
listing servers in nova, where there is a query parameter all_tenants=true for 
that (the user must be admin). I have 2 questions about that:

1) Are there any security concerns about this approach?
2) Does anyone have a better idea how to implement this?

[1] 
https://blueprints.launchpad.net/murano/+spec/murano-api-all-tenants-search


Regards
Filip


